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(57) Abstract 

An authentication in a GSM based mobile comunications system 
relies on a challenge and response principle. A 32-bit Signed Response 
(SRES) parameter is calculated by A3 algorithm from a 128-bit Random 
Number (RAND) and a 128-bit Authentication Key Kj in a mobile 
station and in an authentication center, and the SRES values are 
compared. A CAVE algorithm having a 152-bit input parameter and 
an 18-bit output parameter is employed as the A3 algorithm. Paramater 
adaptation functions are provided between the input parameter of the 
CAVE algorithm and the GSM type input parameters, namely the 
random number RAND and the authentication key Kj, as well as between 
the output parameter of the CAVE algorithm and the GSM output 
parameter, namely the signed response SRES. 
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Subscriber authentication in a mobile communications 
system 

Field of the invention 

5 The present invention relates to security 

functions in mobile communications networks, and 
particularly to a subscriber authentication in mobile 
communications networks . 

10 Background of the invention 

In all telecommunication networks both the users 
and the network operator have to be protected against 
undesirable intrusion of third parties as far as 
possible . Thus several kinds of security functions are 

15 needed in the networks. The major aspects of the network 
security are 1) the protection of the information that 
the network conveys ; and 2) authentication and access 
control of the users of the network. The major security 
mechanism for the protection of information is , and is 

2 0 likely to remain, some form of encryption. Authenti- 
cation is a means of trying to ensure that information 
comes from the source it is claimed to come from. It is 
typically based on passwords and keys. Access rights are 
assigned in terms of the ability to send and/or receive 

2 5 via the transmission medium. Also access mechanisms 

typically depend on some form of password or key. 

Due to the use of radio communications for 
transmissions to the mobile subscribers, radio accessed 
networks , such as Public Land Mobile Networks (PLMN) , 
30 are particularly sensitive to misuse of their resources 
by unauthorized users and eavesdropping on the 
information which is exchanged on the radio path. This 
comes from the possibility to listen to and transmit 
radio signals from anywhere, without tampering with 

3 5 user's or operator's equipment. It can be seen that 
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PLMNs have a need for a higher level of security than 
traditional telecommunication networks. 

The pan-European digital cellular radion which is 
known as GSM (Global System for Mobile Communications) 
5 contains a highly secure authentication system. It is 
based on socalled challenge and response principle. At 
subscription time a secret number called a Subscbiber 
Authentication Key (K A ) is allocated to the subscriber 
together with an International Mobile Subscriber 

10 Identity (IMSI). K± is stored in a special purpose 
element of the GSM network, called an Authentication 
Center (AUC) which is associated with or linked to a 
Home Location Register (HLR) of the subscriber. AUC 
contains also a ciphering algorithm, called A8 , and an 

15 authentication algorithm, called A3, as well as a 
generation of random numbers RAND. A parameter called a 
ciphering key K c is generated from K t and RAND by the 
algorithm A8 . Similarly, a parameter called a Signed 
Response SRES is generated from K L and RAND by the 

20 algorithm A3. The three parameters RAND, K c and SRES make 
up a "triplet" specific of a subsriber to be used for 
further authentication and ciphering. In order to avoid 
calculation and transfer of triplet every time it is 
needed, several triplets are calculated in advance for 

25 each subscriber by AUC/HLR and on request delivered to a 
Visitor Location Register VLR and a Mobile Services 
Switching Center (MSC) there they are stored. MSC/VLR 
will always have at least one triplet unused for each of 
its visitor subscribers. Tight security requires that a 

3 0 triplet is used only once, for one communication, and is 
then destroyed. When a subscriber has used all it's 
available triplets, the AUC/HLR is then requested to 
calculate and send back a new series. 

A GSM mobile station is split into two parts, one 

35 which contains the hardware and software specific to the 
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radio interface, the mobile equipment, and and another 
which contains the subscriber specific data: the 
Subscriber Identity Module or SIM. Each subscriber has 
the SIM, typically in a form of a smart card, which 
5 takes responsibility for most of the security functions 
at the mobile station side. It stores Ki, the 
authentication algorithm A3 and the ciphering algorithm 
A8, as well as the ciphering key K c received from the 
network side. 

10 During authentication, the VLR/MSC sends the 

random number RAND (and also KJ of the triplet to the 
mobile station. The mobile station, more particularly 
the SIM, processes RAND using the authentication 
algorithm A3 and the authentication key K i# and returns 

15 the resulting Signed Response SRES to the VLR/MSC. This 
SRES is checked against the SRES of the triplet given by 
the HLR to. If the two SRESes are equal to each other, 
the access is allowed, and otherwise denied. 

All the security mechanism in the GSM rely on 

20 secrecy of authentication key K t is never transmitted 
and never leaves the AUC/HLR. Also the SIM protects 
completely K L against reading. Because the mathematical 
algorithm A3 works only one way (one-way trap door 
function) it is impossible to derive the key Ki from the 

25 RAND-SRES pairs transmitted. Further the authentication 
algorithm A3 itself is a secret algorithm, it can not be 
found even in the GSM specifications. The specifications 
only require that computation of K A knowing RAND and SRES 
should be as complex as possible. This level of 

30 complexity determines which security level has been 
achieved. Beyond this requirement, the only constraint 
imposed on A3 is the size of the input parameter (RAND 
is 128 bits long) and the size of the output parameter 
(SRES must be 32 bits long) . K L can be of any format and 

3 5 lenght when stored in Auc/HLR, only if K 4 would be 
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transported in the network it would be constrained to a 
maximum lenght of 128 bits. In fact, the design choices 
of GSM, both in the mobile station and in the 
infrastructure, make it possible for the operators to 
5 choose the A3 applicable to their own subcsribers 
independently from other operators. 

In the U.S. A a digital cellular system called 
Personal Communications System (PCS) is under 
development . The US PCS is based on the GSM system in a 

10 great extent, especially as regards network architecture 
and protocols, including the security functions. 
However, some minor modifications are being made in 
various parts of the system. One potential modification 
might be that authentication algorithm A3 used in the 

15 GSM system would be replaced by CAVE algorithm in the US 

PCS since the CAVE algorithm has been developed in the 
USA and is already used in analog AMPS networks 
(Advanced Mobile Phone Service) . The CAVE algorithm 
which might be suitable to be used for authentication in 

20 the PCS system would have an 152 -bit input parameter 
consisting of a number of concanated information fields, 
and a 18 -bit output parameter, whereas the A3 algorithm 
in the GSM has the 12 8 -bit K L and RAND parameters as 
input parameters and 3 2 -bit SRES parameter as an output 

25 parameter. Therefore, replacement of A3 with the CAVE 
algorithm in a GSM based mobile communications system is 
not possible without further modifications. However, 
modifications may easily affect in various protocols, 
functions, messages and data structures throughout the 

3 0 system and thereby make the CAVE algorithm technically 
and economically inattractive . A further disadvantage is 
that the compability with the GSM system will be lost, 
and consequently, for example, SIM roaming between the 
GSM and US PCS systems will not be possible. 



35 
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Summary of the Invention 

An object of the invention is to enable the use 
of the CAVE algorithm as the A3 algorithm in the GSM 
system or in a GSM based mobile communications network 
5 without incurring modifications in GSM authentication 
parameters . 

A further object of the invention is to enable 
the use of the CAVE algorithm as the A3 algorithm in the 
GSM system or in a GSM based mobile communications 
10 network without modifications in the GSM triplet data 
structure . 

A still further object of the invention is to 
enable the use of the CAVE algorithm as the A3 algorithm 
in the GSM system or in a GSM based mobile 
15 communications network but otherwise retain the security 
functions of the standard GSM system. 

One aspect of the invention is an authentication 
method for a mobile communications network, comprising 
steps of 

20 utilizing an authentication procedure intended to 

be used with a first authentication response calculation 
method, 

utilizing a second authentication response 
calculation method instead of said first authentication 
25 response calculation method, 

providing an authentication key compatible with 
said first authentication response calculation method 
but incompatible with said second authentication 
response calculation method, for each subscriber of said 
3 0 mobile communications network, 

generating a random number compatible with said 
first authentication response calculation method but 
incompatible with said second authentication response 
calculation method, 
35 deriving an input parameter compatible with said 
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second authentication response calculation method from 
said authetication key and said random number, 

calculating by said second autentication response 
calculation method an authentication response 
5 incompatible 

with a authentication response format of said 
authentication prosedure utilized in said mobile 
communications network, 

modifying said authentication response into a 

10 format compatible with said authentication response 

format of said authentication procedure, 

transferring and storing said authentication 
response in said mobile communications network in said 
format compatible with said authentication procedure. 

IS According to the invention parameter- adaptation 

functions are provided between the input parameter of 
the CAVE algorithm and the GSM type input parameters, 
namely the random number RAND and the authentication 
key Ki, as well as between the output parameter of the 

2 0 CAVE algorithm and the GSM output parameter, namely the 
signed response SRES. As a result no modifications are 
needed in the CAVE algorithm itself, nor it is necessary 
to depart from the GSM type security functions elsewhere 
than in the calculation of SRES in the authentication 

25 center AUC/HL.R and in the mobile station MS. 



Brief Description of the Drawings 

The preferred embodiments of the invention will 
30 be described with reference to attached drawing, wherein 
Fig. 1 is a block diagram illustrating a GSM 
based cellular mobile radio system, 

Fig. 2 is a functional block diagram of the prior 
art authentication and ciphering parameter processing 
3 5 unit in the authentication center AUC, 
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Fig. 3 is a functional block diagram of the prior 
art authentication and ciphering parameter processing 
unit in the mobile station MS, 

Fig. 4 is a functional block diagram of the the 
5 authentication and ciphering parameter processing unit 
in the MSC/VIiR, 

Fig. 5 illustrates the signalling related to the 
generation, transfer and use of the authentication and 
ciphering parameters, 
10 Fig. 6 is a functional block diagram of the 

authentication and ciphering parameter processing unit 
according to the invention in the authentication center 
AUC, 

Fig. 7 is a functional block diagram of the 
15 authentication and ciphering parameter processing unit 
according to the invention in the mobile station MS. 

Preferred Embodiments of the Invention 

The present invention can be applied in. the 

2 0 Paneuropean digital mobile radio system GSM or in any 

GSM based mobile radio system, such as DCS1800 digital 
communication system and the U.S. digital cellular 
system called Personal Communication System (PCS) . 
Although the preferred embodiment of the invention will 
25 be described as an application in a standard GSM system 
in the following, the primary field of the application 
will apparently be the PCS system in the U.S.A. The 
structure and operation of the GSM system are well known 
to one skilled in the art and defined in the GSM 

3 0 specifications issued the European Telecommunications 

Standards Institute ETSI. A reference is also made to 
the GSM system for a mobile communications, M.Mouly £ 
M.Pautet , Palaiseau, France, 19 92; ISBN2- 9507190 -0-7 . 

The basic structure of GSM system is shown in 
3 5 Figure 1. 
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The GSM structure consists of two parts: the base 
station subsystem (BSS) , and the network subsystem 
(NSS) . The BSS and the mobile stations MS communicate 
via radio connections. In the BSS, each cell is served 
5 by a base transceiver station (BTS) . A group of BTS is 
connected to a base station controller (BSC) whose 
function is to manage the radio frequencies and channels 
used by the BTS . The BSCs are connected to a mobile 
switching centre (MS) . The MSC is for switching calls 

10 involving at least one mobile station MS. Certain MSCs 

are connected to other telecommunication networks such 
as the public switched telephone network (PSTN) , and 
contain gateway functions for handling calls to and from 
these networks . These MSCs are known as gateway MSCs 

15 (GMSCs) . 

There are two main types of database concerned 
with the routing of calls. There is a home location 
register (HLR) that stores subscriber data on all the 
subscribers of the network on a permanent or 

2 0 semipermanent basis, including information on the 

services to which the subscriber may have access, and 
the current location of the subscriber. The second type 
of register is the visitor location register (VLR) . The 
VIjR is attached generally to one MSC, but it may, 
25 however, serve several MSCs. It is common practice that 
VLR is integrated into the MSC. This integrated network 
element is known as visitor MSC (VMSC) . Whenever a 
mobile station MS is active (logged on and able to make 
or receive a call) most of the mobile subscriber data 

3 0 about a mobile station MS that is held in the HLR is 

downloaded (copied) into the VLR of the MSC in whose 
area the mobile MS is . 

As noted above, in the mobile radio service, 
great care must by taken to prevent unauthorized call 
35 attempts and intrusion or listening-in by third parties. 
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Protection mechanisms in GSM system authenticate the 
calling or called mobile station, and use ciphering key- 
to encode speech and data on the traffic channel . 

The prior art mechanism according to the GSM 
5 specifications for providing authentication and 
ciphering keys will now be described with reference to 
Figures 2, 3, 4 and 5. 

At subscription time a secret number called a 
subscriber authentication key (K L ) is allocated to the 

10 mobile subscriber together with an international mobile 
subscriber identity (IMSI) . As shown in Figure 2, the 
authentication centre AUC comprises a database 20 which 
stores the authentication key K t for each mobile 
subscriber in the GSM network. K ± of the mobile 

15 subscriber can be retrieved from the database 20 using 
the IMSI of the mobile subscriber as an index. The AUC 
is further provided with an ciphering algorithm A8, an 
authentication algorithm A3, and a random number 
generator 21. The random number generator 21 provides 

20 random numbers RAND having length of 128 bits. The key K t 
retrieved from database 2 0 and the random number RAND 
from the random number generator 21 are used as input 
parameters in the authentication algorithm A3 to 
calculate the signed response SRES, and as input 

2 5 parameters in ciphering algorithm A8 to calculate the 
ciphering key K c for traffic channel encoding. The three 
parameters RAND, SRES and K c make up a triplet for a 
mobile subscriber . 

The triplets will be transferred further to the 

30 visited MSC/VLR to be used for authentication and 
ciphering as will be explained in more detail below. 

A triplet is used only once, for one 
communication, and is then destroyed. In order to avoid 
calculation and transfer of triplet every time it is 

35 needed, several triplets are calculated in advance for 
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each mobile subscriber by AUC/HLR and on request 
delivered to the visited MSC/VLR where they are stored. 

The visited MSC/VLR stores a reserve of a few of 
such triplets per subscriber to be retrieved at need. 
5 Referring to Fig. 4, there is shown an example of a 
security parameter file 40 maintained in the visited 
MSC/VLR. The file 40 contains n triplets l...n for each 
IMSI (subscriber) . 

This reserve in the security parameter file 40 is 

10 first established when the mobile subscriber first 
registers in the visited MSC/VLR: it is part of the 
subscriber data downloaded from the HLR in the INSERT 
SUBSCRIBER DATA message. When a subscriber has used all 
it's available triplets, the AUC/HLR is then requested 

15 to calculate and send back a new series. Referring to 

Fig. 5, this triplet replenishing produce consist of two 
messages: SEND PARAMETERS message and it's answer, SEND 
PARAMETERS RESULT message. The former message contains 
the IMSI of the mobile subscriber which is used to 

20 retrieve the Ki for calculation of the triplets as 
described above with reference to Fig. 2. The calculated 
triplets will be delivered to the MSC/VLR in the SEND 
PARAMETERS RESULT message and stored in the VLR. 

Referring further to Fig. 4, the mobile station 

25 MS sends an access request to the MSC/VLR. The MSC/VLR 
retrieves one of the triplets reserved for the 
subscriber of the mobile station MS in the security 
parameter file using the IMSI as an index. The MSC/VLR 
conveys on one hand the value of K c to the channel 

3 0 equipment in the BSC to be used in the traffic channel 
ciphering, and on the other hand the value of RAND to 
the MS in the AUTHENTICATION REQUEST message, as shown 
by block 41 in Fig. 4. On basis of the RAND the mobile 
station MS calculates the other values of the triplet 

35 (SRES and K c ) . 
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Referring to Fig. 3, the MS stores a copy of the 
ciphering key of the mobile subscriber, as well as the 
ciphering algorithm A8 and the authentication algorithm 
A3 . On receiving the AUTHENTICATION REQUEST message for 
5 the MSC/VLR, the MS extracts the RAND from the message, 
and then inputs the RAND and the stored K A to the 
algorithms A3 and A8 . For calculating the signed 
response SRES and the ciphering key K,., respectively. The 
calculated SRES will be conveyed to the MSC/VLR in the 

10 AUTHENTICATION RESULT message for completing the 
authentication as shown in Figs. 4 and 5. 

Referring to Fig. 4, the MSC/VLR extracts the 
value of SRES from AUTHENTICATION RESULT message (block 
42) and retrieves the stored value of SRES from the file 

15 40 (block 43) - Then, for this communication, prior to 
any other processing, the MSC/VLR "authenticates" the 
mobile subscriber by checking that the SRES calculated 
in the AUC/HLR is identical to the SRES calculated in 
the MS (block 44) . If the two values are identical, the 

20 access is granted (block 45) . If the two values are not 
identical, the access is denied (block 46) . 

The ciphering procedure is not relevant to the 
present invention and will not be described in more 
detail herein. 

25 as noted in the background art of the invention, 

it might be a need to use the CAVE algorithm as the 
authentication algorithm A3 in the USA a digital 
cellular system called Personal Communications System 
(PCS) , or other cellular systems based on the GSM system 

3 0 in a great extent, especially as regards network 
architecture and protocols, including the security 
functions. The CAVE algorithm has been developed in the 
USA and the availabilily of the CAVE algorithm 
information is governed under ITAR (U.S. International 

3 5 Traffic and Arms Regulation) . However, the CAVE is 
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already used in analog AMPS networks (Advanced Mobile 
Phone Service) and its input/output parameters are 
specified in EIA/TIA srandard IS-54. The CAVE algorithm 
has an 152 -bit input parameter consisting of a number of 
5 concanated information fields, and a 18 -bit output 
parameter. Problems are, however, encountered in the 
practical implementation due to the fact that the A3 
algorithm in the GSM system has the 128-bit K L and RAND 
as input parameters and 3 2 -bit SRES as an output 

10 parameter. 

These problems will be overcome when, according 
to the present invention, an adaptation of the 
parameters is made at the input and output of the CAVE 
algorithm. As a result, no modifications are needed in 

15 the CAVE algorithm itself, nor it is necessary to depart 
from the GSM specifications elsewhere than in the 
calculation of SRES in the AUC/HLR and the MS. 

The preferred embodiments of the parameter 
adaptation according to the invention will now be 

20 described with reference to Figs. 6 and 7. 

Referring now to Fig. 6, the authentication 
centre AUC according to the invention comprises a 
database 6 0 and a random number generator 61 which are 
similar to the database 20 and generator 21 shown in 

25 Fig. 2. The database 60 stores the 128 -bit 
authentication keys Ki according to the GSM 
specifications for all mobile subscribers of the GSM 
network, indexed by the IMSIs. The IMSI by which the K A 
is selected for furher calculation is receide from a 

3 0 signalling interface 67 which receives it from HLR or 
VLR, eg. in the SEND PARAMETERS message. The random 
number generator 61 provides the 128 -bit random numbers 
RAND in accordance with the GSM specifications. 

The Ki and RAND are inputs to the ciphering 

3 5 algorithm A8 which calculates the 64 -bit ciphering key K c 
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in accordance with the GSM specifications. In other 
words, the calculation of is identical to that 

described with reference to Fig. 2. 

The 128 -bit RAND is also an input to a truncation 
5 unit 62 which truncates the RAND into 24 -bit truncated 
RAND (TRAND) . The TRAND may contain, for example, 24 
most significant bits of RAND. It is appreciated, 
however, that the truncation operation as used herein is 
intended' to cover any method to derive 24 -bit random 

10 number TRAND from the 12 8 -bit random number RAND. It 
should be noted that although the lenght of Ki is 128 
bits in the preferred embodiment, it may have any length 
of N bits, where N is integer less than or equal to 128. 
Consequently, lenght M of TRAND depends on N, being 

15 M=152-N bits . 

The 24 -bit TRAND is then inputted to a combining 
unit 63, the other input of unit 63 being the 128 -bit 
authentication key K t . The output of the combining unit 
63 is a 152-bit combination COMP of K 4 and TRAND. The- 128 

20 most significant bits of the COMP may contain the K ± and 
the 24 least significant bits may contain the TRAND. It 
is appreciated, however, that the combination operation 
as used herein is intended to cover any method, e.g. a 
logical operation, to derive 152 -bit value by combining 

25 K L and TRAND. 

The 152 -bit COMP parameter meets the requirements 
set on the input parameter of the CAVE algorithm in the 
calculation unit 65. Thus, the parameter adaptation 
according to the invention derives . a CAVE compatible 

3 0 input parameter from the GSM compatible input parameters 
K L and RAND. As a result of the calculation, the CAVE 
calculation unit 65 outputs a 18 -bit output parameter. 

The 18 -bit output parameter from the CAVE is then 
inputted to the padding unit 64 in which 14 stuff bits 

35 will be inserted so as to obtain a 32-bit value. The 14 
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stuff bits may establish, for example, the 14 least 
significant bits of the 32-bit parameter, the 18 most 
significant bits containing the 18-bit output from CAVE 
65. It is appreciated, however, that the padding 
5 operation as used herein is intended to cover any 
method, e.g. logical operation, to lengthen the 18-bit 
CAVE output parameter by 14 bits to obtain 32 bits. 

The resulting 32 -bit output parameter will be 
then used as the signed response SRES according to the 
10 GSM specifications. Thus, the parameter adaptation 
according to the invention derives a GSM compatible 
output parameter from a CAVE compatible output 
parameter . 

The three GSM compatible security parameters 

15 SRES, K c and RAND will be inputted to a triplet building 
unit 66 in which a standard GSM triplet is built. The 
triplet will be transferred to HLR or VLR via the 
signalling interface 67. Thus, the SRES will be 
transferred and processed in the GSM network in a 

20 similar manner as the standard SRES. 

Referring now to Fig. 7 # the mobile station MS 
according to the invention stores a copy of the. 
ciphering key Ki of the mobile subscriber in a memory 75. 
The MS also comrises a calculation unit 76 carrying out 

25 the ciphering algorithm A8, and a calculation unit 77 
carrying out the CAVE algorithm for authentication. On 
receiving the AUTHENTICATION REQUEST message from the 
MSC/VLR, the of the MS, which contains the hardware and 
software specific to the radio interface, the mobile 

30 equipment 78, extracts the RAND form the message, and 
then inputs the RAND and the stored K A to the A8 
calculation unit 76 for calculation of the ciphering key 
K c . In the preferred embodiment of the invention all the 
functional blocks except 78 are located in the 

35 Subscriber Identity Module or SIM of the MS. 
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The 128 -bit RAND is also an input to a truncation 
unit 72 which truncates the RAND into 24 -bit TRAND. The 
truncation unit 72 is identical to the truncation unit 
62 shown in Fig. 6- 
5 The 24 -bit TRAND is then inputted to a combining 

unit 73, together with the 128 -bit K t . The output of the 
combining unit 73 is a 152 -bit COMP . The combining unit 
73 is identical to the combining unit 63 shown in Fig. 
6 . 

10 The 15 2 -bit COMP is then inputted to the CAVE 

calculation unit 77 which outputs a 18 -bit output 
parameter . 

The 18 -bit output parameter from the CAVE 77 is 
inputted to a padding unit 74 in which 14 stuff bits are 
15 attached so as to provide a 32-bit value. The padding 
unit 74 is identical to the padding unit 64 shown in 
Fig. 6. 

The resulting 3 2 -bit output parameter will be 
then used as the SRES parameter according to the GSM 

20 specifications. The SRES will returned to the mobile 
equipment 78 and sent further to the MSC/VLR in the 
AUTHENTICATION RESULT message and processed in the 
MSC/VLR as in the standard GSM system. 

An example of alternative embodiments for 

25 deriving the 152 -bit CAVE input parameter from the N-bit 
Ki and RAND parameters is shown in Fig. 8. In the 
following examples N=128 but it may be any positive 
integer in these embodiments. K A will be divided into two 
parts: 104 bits of the K t , e.g. 104 LSB bits, are 

30 inputted to an input of a logical unit 81. The remaining 
24 bits of K £ are inputted to a combiner 82. Similarly, 
RAND will be divided into two parts: 104 bits of the 
RAND, e.g. 104 MSB bits, are inputted to the logical 
unit 81. The remaining 24 bits of RAND are inputted to 

35 another input of the combiner 82. A logical operation, 
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such AND, OR or exclusive OR (XOR) , is performed between 
the two 104-bit inputs, and a single 104-bit output is 
provided. The 104 -bit output from the logical unit 81 is 
inputted to the combiner 82. The combiner 82 assembles 
5 the two 24 -bit inputs and the 104 -bit input into a 152- 
bit parameter to be inputted to the CAVE algorithm. When 
applied in the authenticatication center of Fig. 6 and 
in the mobile station of Fig. 7, the logical unit 81 and 
the combiner 82 will substitute for the truncation unit 

10 62,72 and the combiner 63,73, respectively. 

As a further modification to the embodiment of 
the Fig. 8, the 104 bits of K 4 and the 104 bits of RAND 
may be subdivided into equal number of subblocks, and 
different logical operations are performed between 

15 different subblocks. There may be four subsblocks of 26 
bits, for example. 

The drawing and the associated description is 
solely intended to ilustrate the present invention. 
Changes and modifications will apparent to a skilled 

2 0 person in the art without departing from the scope and 
spirit of the attached claims. 
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Claims 



1. An authentication center for a mobile 
5 communications network, comprising 

a database storing an authentication key for each 
subscriber of said mobile communications network, said 
authentication key being an input parameter for 
calculation of a ciphering key and an authentication 
10 response parameter and in a format required by a first 
authentication procedure, 

a source of a random number, said random number 
being another input parameter for calculation of a 
ciphering key and an authentication response parameter 
15 and in a format required by said first authentication 
procedure, 

an encryption key calculation unit having said 
authentication key from the database and a random number 
from said source of random numbers as input parameters 

2 0 and outputting a ciphering key in a format according 

to said first authentication procedure, 

an authentication response parameter calculation 
unit requiring a single input parameter and outputting 
an authetication response parameter in a format other 
25 than the format of the authentication response parameter 
according to said first authentication procedure, 

a first adaptation unit responsive to said 
authentication key and said random number as input 
parameters for providing said single input parameter to 

3 0 said authentication response calculation unit, 

a second adaptation unit responsive to said 
authentication response parameter outputted by said 
authentication response parameter calculation unit for 
providing said authentication response parameter 
3 5 according to the first authentication procedure. 
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2 . An authentication parameter processing unit in 
a mobile station, comprising 

a memory storing an authentication key for a 
mobile subscriber using said mobile station, said 
5 authentication key being an input parameter for 
calculation of a ciphering key and an authentication 
response parameter and in a format required by a first 
authentication procedure, 

a source of a random number, said random number 
10 being another input parameter for calculation of a 
ciphering key and an authentication response parameter 
and in a format required by said first authentication 
procedure , 

an encryption key calculation unit having said 
15 authentication key from the database and a random number 
from said source of random numbers as input parameters 
and outputting a ciphering key in a format according 
to said first authentication procedure, 

an authentication response parameter calculation 
20 unit requiring a single input parameter and outputting 
an autheticat ion response parameter in a format other 
than the format of the authentication response parameter 
according to said first authentication procedure, 

a first adaptation unit responsive to said 
25 authentication key and said random number as input 
parameters for providing said single input parameter to 
said authentication response calculation unit, 

a second adaptation unit responsive to said 
authentication response parameter outputted by said 
3 0 authentication response parameter calculation unit for 
providing said authentication response parameter 
according to the first authentication procedure. 

3 . An authentication method for a mobile 
communications network, comprising steps of 
35 utilizing an authentication procedure intended to 
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be used with a first authentication response calculation 
method, 

utilizing a second authentication response 
calculation method instead of said first authentication 
5 response calculation method, 

providing an authentication key compatible with 
said first authentication response calculation method 
but incompatible with said second authentication 
response calculation method, for each subscriber of said 
10 mobile communications network, 

generating a random number compatible with said 
first authentication response calculation method but 
incompatible with said second authentication response 
calculation method, 
15 deriving an input parameter compatible with said 

second authentication response calculation method from 
said authetication key and said random number, 

calculating by said second autentication response 
calculation method an authentication response 
20 incompatible with a authentication response format of 
said' authentication prosedure utilized in said mobile 
communications network, 

modifying said authentication response into a 
format compatible with said authentication response 
25 format of said authentication procedure, 

transferring and storing said authentication 
response in said mobile communications network in said 
format compatible with said authentication procedure. 

4 . An authentication method for a GSM based 
3 0 mobile communications network, comprising steps of 

utilizing a GSM based authentication procedure 
intended to be used with a GSM based authentication 
response calculation method, said GSM based 
authentication response calculation method comprising 
3 5 128 -bit random number RAND and N-bit authentication key 
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K L as input parameters and a 3 2 -bit signed response SRES 
as an output parameter, N being a positive integer, 

utilizing a CAVE calculation method as an 
authentication response calculation method instead of 
5 said GSM based authentication response calculation 
method, said CAVE method comprising a 152 -bit input 
parameter and a 18 -bit output parameter, 

providing unique value of said N-bit K L for each 
subscriber of said mobile communications network, 
10 storing said values of K L in a database in an 

authentication center, 

receiving a request to provide said SRES for one 
of said mobile subscribers, 

retrieving said N-bit Ki of said one of said 
15 mobile subscribers from said database, 

generating said 128-bit RAND, 

deriving said 152 -bit input parameter from said 
N-bit ^ and 128-bit RAND, 

calculating by said CAVE calculation method said 
20 18 -bit output parameter, 

padding 14 additional bits into said 18 -bit 
output parameter to obtain said 32-bit SRES, 

transferring and storing said 3 2 -bit SRES in said 
GSM based mobile communications network according to 
25 said GSM based authentication procedure. 

5. A method according as claimed in claim 4, 
wherein said step of deriving comprises steps of 

truncating said 128-bit RAND into (152-N)-bit 
truncated RAND, N being an integer less than or equal to 
30 128, 

combining said (152-N) -bit truncated RAND with 
said N-bit Ki to obtain said 152 -bit input parameter. 

6. An authentication method for a GSM based 
mobile communications network, comprising steps of 
35 utilizing a GSM based authentication procedure 
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intended to be used with a GSM based authentication 
response calculation method, said GSM based 
authentication response calculation method comprising 
12 8 -bit random number RAND and N-bit authentication key 
5 Kj, as input parameters and a 3 2 -bit signed response SRES 
as an output parameter, N being a positive integer, 

utilizing a CAVE calculation method as an 
authentication response calculation method instead of 
said GSM based authentication response calculation 
10 method, said CAVE method comprising a 152-bit input 
parameter and a 18-bit output parameter, 

storing an unique value of said N-bit K L provided 
for a mobile subscriber in a memory of a mobile station, 
receiving from a base station by said mobile 
15 station an authentication request including said 128 -bit 
RAND, 

retrieving said N-bit K A from said memory, 

deriving said 152 -bit input parameter from said 
N-bit Ki and 128-bit RAND, 
20 calculating by said CAVE calculation method said 

18-bit output parameter, 

padding 14 additional bits into said 18 -bit 
output parameter to obtain said 3 2 -bit SRES, 

transmitting said 32 -bit SRES to said base 

25 station. 

7. A method according as claimed in claim 6, 
wherein said step of deriving comprises steps of 

truncating said 128-bit RAND into (152-N) -bit 
truncated RAND, N being an integer less than or equal to 
30 128, 

combining said (152-N) -bit truncated RAND with 
said N-bit K L to obtain said 152-bit input parameter. 

8 . An authentication parameter calculation unit 
for a mobile communication system, comprising 

35 a CAVE algorithm calculator having a first input 
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for receiving a 152 -bit input parameter, and an output 
for output ting a 18 -bit output parameter, 

a first adaptor having a first input for 
receiving 128 -bit random number RAND, a second input fo 
5 receiving a N-bit authentication key K it and an output 
for outputting said 152 -bit input parameter derived from 
said N-bit K ± and 128-bit RAND to said input of said CAVE 
algorithm calculator, N being a positive integer, 

a second adaptor having an input for receiving 
10 said 18-bit output parameter CAVE algorithm calculator, 
and an output for outputting a 3 2 -bit signed response 
SRES, wherein K ± , RAND and SRES are GSM-based 
authentication parameters. 
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